[CRUC-8169] XSS in the view review history resource through invited reviewers - CVE-2017-18089 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.4.3, 4.5.0
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.

Owen made changes - 16/Oct/2018 8:14 AM

Workflow

Original: FE-CRUC Bug Workflow [ 2941852 ]

New: JAC Bug Workflow v3 [ 2954329 ]

Owen made changes - 16/Oct/2018 4:41 AM

Workflow

Original: FECRU Development Workflow - Triage - Restricted [ 2594763 ]

New: FE-CRUC Bug Workflow [ 2941852 ]

David Black made changes - 16/Feb/2018 3:40 AM

Labels

Original: CVE-2017-18089 advisory advisory-to-release cvss-medium security xss

New: CVE-2017-18089 advisory advisory-released cvss-medium security xss

David Black made changes - 16/Feb/2018 3:39 AM

Security

Original: Atlassian Staff [ 10750 ]

David Black made changes - 16/Feb/2018 3:38 AM

Summary

Original: XSS in the review history resource through invited reviewers - CVE-2017-18089

New: XSS in the view review history resource through invited reviewers - CVE-2017-18089

David Black made changes - 16/Feb/2018 3:38 AM

Description

Original: The review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.

New: The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.

David Black made changes - 16/Feb/2018 3:35 AM

Labels

Original: CVE-2017-18089 advisory advisory-to-release cvss-medium security

New: CVE-2017-18089 advisory advisory-to-release cvss-medium security xss

David Black made changes - 16/Feb/2018 3:34 AM

Summary

Original: CVE-2017-18089

New: XSS in the review history resource through invited reviewers - CVE-2017-18089

David Black made changes - 16/Feb/2018 3:34 AM

Description

Original: The review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to IMPACT via a VULN_INFO.

New: The review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.

David Black made changes - 16/Feb/2018 3:30 AM

Description

Original: Component in Atlassian Crucible from version 4.4.1 before version 4.4.3 allows remote attackers to IMPACT via a VULN_INFO.

New: The review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to IMPACT via a VULN_INFO.

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 02/Feb/2018 12:10 AM

Updated:: 16/Feb/2018 3:40 AM

Resolved:: 02/Feb/2018 3:16 AM

Details

Description

Attachments

Forms

Activity

[CRUC-8169] XSS in the view review history resource through invited reviewers - CVE-2017-18089

People

Dates